
F5 Security on OWASP Top 10

Josh Michaels, 2012-24-02

Everyone is familiar with the OWASP Top 10. Below, you will find some notes on the
Top 10, as well as ways to mitigate these potential threats to your environment. You
can also download the PDF format by clicking the blankie.
This is the first in a series that will cover the attack vectors and how to apply the
protection methods.

Each entry below gives the OWASP attack, the OWASP definition, and the F5 protection.

A1 Injection

OWASP Definition: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

F5 Protection: BIG-IP ASM inspects application traffic and blocks the insertion of malicious scripts. It does so by enforcing injection attack patterns and enforcing an accurate usage of metacharacters within the URI and parameter names. ASM also looks at parameter values and can enforce pre-defined allowed values, length, and accurate usage of metacharacters.

A2 Cross-Site Scripting (XSS)

OWASP Definition: XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

F5 Protection: BIG-IP ASM protects against Cross-Site Scripting attacks by enforcing XSS attack patterns and enforcing an accurate usage of metacharacters within the URI and parameter names. ASM also looks at parameter values and can enforce pre-defined allowed values, length, and accurate usage of metacharacters.
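The A1 and A2 entries both describe the same positive-security idea: every parameter has an allowlist of names, a maximum length, optionally a fixed set of allowed values, and a restriction on metacharacters, with attack-pattern signatures checked on top. The following is an added example written for this page, not F5's code and not ASM's configuration format; the rule names, the policy, the metacharacter set and the signatures are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

# Constructed, simplified model of a positive-security parameter policy
# (hypothetical field names; not ASM's own configuration format).
@dataclass
class ParamRule:
    allowed_values: Optional[Set[str]] = None  # None means any value
    max_length: int = 64
    allow_metachars: bool = False

# Metacharacters that SQL/OS/LDAP injection and XSS payloads typically rely on.
METACHARS = set("<>'\";()|&`$")

# Constructed attack-pattern signatures, illustrative only.
ATTACK_PATTERNS = [
    re.compile(r"(?i)\bunion\b\s+(all\s+)?\bselect\b"),
    re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+"),
    re.compile(r"(?i)<\s*script\b"),
    re.compile(r"(?i)\bon[a-z]+\s*="),
    re.compile(r"(?i)javascript:"),
]

# Constructed policy for a hypothetical search endpoint.
POLICY = {
    "id":   ParamRule(max_length=20),
    "sort": ParamRule(allowed_values={"asc", "desc"}),
    "q":    ParamRule(max_length=40),
}

def check_param(name: str, value: str) -> Optional[str]:
    """Return None when the parameter is accepted, else a short block reason."""
    rule = POLICY.get(name)
    if rule is None:
        return "unknown parameter"          # name is not in the allowlist
    if len(value) > rule.max_length:
        return "too long"
    if rule.allowed_values is not None and value not in rule.allowed_values:
        return "value not in allowed set"
    if not rule.allow_metachars and set(value) & METACHARS:
        return "illegal metacharacter"
    for pattern in ATTACK_PATTERNS:
        if pattern.search(value):
            return "attack signature"
    return None

def check_request(params: dict) -> list:
    """Evaluate every parameter of a request; returns (name, reason) violations."""
    violations = []
    for name, value in params.items():
        reason = check_param(name, value)
        if reason is not None:
            violations.append((name, reason))
    return violations

if __name__ == "__main__":
    # Constructed sample requests: one clean, one carrying injection and XSS attempts.
    print(check_request({"id": "42", "sort": "asc", "q": "apple pie"}))
    print(check_request({"id": "1' OR '1'='1", "q": "<script>alert(1)</script>"}))
```

The ordering of the checks matters for operations: length and allowed-value checks are cheap and deterministic, metacharacter checks catch most injection and XSS payloads without any signature knowledge, and the signatures are only reached by values that are otherwise well-formed, which is where a positive model alone would miss a payload such as `x union select 1`.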

A3 Broken Authentication and Session Management

OWASP Definition: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users' identities.

F5 Protection: BIG-IP ASM enables protection by:
- Using ASM's unique login page enforcement configuration
- Enforcing login page timeouts
- Enabling application flow enforcement and dynamic parameter protection
- Using SSL on the login page
- Monitoring request attack patterns
- Using ASM signed cookies so none are being manipulated

A4 Insecure Direct Object References

OWASP Definition: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. If a hacker changes his account number to another random number hoping to access a different user's account, they can manipulate those references to access other objects without authorization. These can include:
- Fraud (price changes, user ID changes)
- Session hijacking

F5 Protection: BIG-IP ASM mitigates this vulnerability by enforcing dynamic parameters (making sure values that were set by the server will not be changed on the client side). Also, the admin can whitelist the allowed URLs for the specific application and scan the requests with attack patterns.
- Enforcing parameter values with high parameters
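The "signed cookies" of A3 and the "dynamic parameters" of A4 rest on one mechanism: a value the server hands to the client is accompanied by a MAC under a server-only key, so any client-side change to the value (a different account number, a different price, an edited role cookie) fails verification on the next request. The following is an added example written for this page, not ASM's implementation; the key, the parameter names and the cookie layout are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed per-deployment secret; in practice it comes from a key store.
SERVER_KEY = secrets.token_bytes(32)

def _mac(name: str, value: str, key: bytes) -> str:
    """HMAC-SHA256 over 'name=value', encoded as unpadded URL-safe base64."""
    digest = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def issue_dynamic_param(name: str, value: str, key: bytes = SERVER_KEY) -> dict:
    """Server side: emit the value together with its signature (for example as
    a hidden form field pair) so the client cannot silently change it."""
    return {name: value, f"{name}_sig": _mac(name, value, key)}

def verify_dynamic_param(name: str, submitted: dict, key: bytes = SERVER_KEY) -> bool:
    """Server side on the next request: accept the value only if the submitted
    signature still matches it. Missing or altered values are rejected."""
    value = submitted.get(name)
    sig = submitted.get(f"{name}_sig")
    if value is None or sig is None:
        return False
    return hmac.compare_digest(sig.encode(), _mac(name, value, key).encode())

def sign_cookie(name: str, value: str, key: bytes = SERVER_KEY) -> str:
    """Cookie form of the same idea: the cookie value becomes '<value>.<mac>'."""
    return f"{value}.{_mac(name, value, key)}"

def verify_cookie(name: str, cookie_value: str, key: bytes = SERVER_KEY):
    """Return the original value if the cookie is intact, else None."""
    value, sep, sig = cookie_value.rpartition(".")   # the MAC never contains '.'
    if not sep:
        return None
    if hmac.compare_digest(sig.encode(), _mac(name, value, key).encode()):
        return value
    return None

if __name__ == "__main__":
    # Constructed round trip: the server issues account 1001, the client
    # returns it unchanged, then returns it edited to 1002.
    issued = issue_dynamic_param("account", "1001")
    print(verify_dynamic_param("account", issued))                       # True
    print(verify_dynamic_param("account", dict(issued, account="1002")))  # False
    role = sign_cookie("role", "user")
    print(verify_cookie("role", role))                                    # user
```

Binding the parameter name into the MAC (`name=value`) stops a client from presenting a validly signed value under a different parameter, and `hmac.compare_digest` keeps the comparison constant-time. The server still needs its own authorization check for the object behind the reference; the signature only guarantees that the reference is the one the server issued to this client.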

A5 Cross-Site Request Forgery (CSRF)

OWASP Definition: A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

F5 Protection: BIG-IP ASM mitigates CSRF attacks by adding a random nonce to every URL. This nonce cannot be guessed in advance by an attacker and therefore makes the attack almost impossible. In addition, ASM prevents XSS within an application and enforces the application flow and dynamic parameter values.

With flow access, a session timeout can be combined with an F5 iRule designed to perform a referrer header check to minimize CSRF. For instance, flow enforcement mitigates CSRF by limiting the entry points or web pages of attacks, along with session timeouts being short. If referring to, say, www.food.com, ASM checks the referrer header in the URL to make sure it's food.com.
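The three controls named in the A5 entry (a per-session nonce appended to every URL, a short session timeout, and a referrer header check against the application's own host) can be seen working together in the following added example. It is written for this page and is not F5's iRule or ASM logic; the timeout value and the server key are constructed assumptions, and `www.food.com` is taken from the page's own example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

SESSION_TIMEOUT = 600            # seconds; constructed, deliberately short
ALLOWED_ORIGIN = "www.food.com"  # host from the page's own example

class CsrfGuard:
    """Per-session nonce on every URL plus a referer check and a timeout."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)   # constructed server secret
        self.last_seen = {}                          # session id -> last activity

    def new_session(self, now=None):
        sid = secrets.token_urlsafe(16)
        self.last_seen[sid] = now if now is not None else time.time()
        return sid

    def nonce(self, sid):
        # Bound to the session via HMAC: an attacker who cannot read the
        # victim's session cookie cannot compute it, and it differs per session.
        return hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()[:32]

    def protect_url(self, url, sid):
        """Rewrite a link the server emits so it carries the session nonce."""
        sep = "&" if "?" in url else "?"
        return f"{url}{sep}csrf={self.nonce(sid)}"

    def check(self, url, sid, referer=None, now=None):
        """Return None if the request is accepted, else the reason it was blocked."""
        now = now if now is not None else time.time()
        last = self.last_seen.get(sid)
        if last is None or now - last > SESSION_TIMEOUT:
            return "session expired"
        presented = parse_qs(urlparse(url).query).get("csrf", [""])[0]
        if not hmac.compare_digest(presented.encode(), self.nonce(sid).encode()):
            return "missing or wrong nonce"
        if referer is not None and urlparse(referer).hostname != ALLOWED_ORIGIN:
            return "foreign referer"
        self.last_seen[sid] = now      # refresh activity only on success
        return None

if __name__ == "__main__":
    # Constructed walk-through: a legitimate click, a forged link without the
    # nonce, and a request arriving from a foreign page.
    guard = CsrfGuard()
    sid = guard.new_session()
    link = guard.protect_url("https://www.food.com/transfer?amt=5", sid)
    print(guard.check(link, sid, "https://www.food.com/account"))           # None
    print(guard.check("https://www.food.com/transfer?amt=5", sid))          # missing or wrong nonce
    print(guard.check(link, sid, "https://evil.example/page"))              # foreign referer
```

The referer check is deliberately lenient when the header is absent, because browsers and proxies strip it in many legitimate cases; the nonce, not the referer, is the control the decision actually rests on. The timeout bounds how long a captured link stays usable even if the nonce leaks.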

A6 Security Misconfiguration

OWASP Definition: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

F5 Protection: BIG-IP ASM can mitigate attacks that are related to misconfiguration by using a broad range of controls, starting with:
- RFC enforcement
- Enforcing various limits on the requests
- Whitelisting the URLs and parameter names and values
- Enforcing a login page
- Being a native full reverse proxy

A7 Insecure Cryptographic Storage

OWASP Definition: Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

F5 Protection: While this isn't directly related to BIG-IP ASM or a WAF, OWASP is mostly concerned with what type of encryption is used and how it is used. These are both outside of the enforcement purview of ASM; however, ASM delivers the following:
- Data Guard: if someone managed to cause an information leakage, Data Guard can block it
- BIG-IP certificate management allows the user to store private keys in a central and secure place

A8 Failure to Restrict URL Access

OWASP Definition: Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.

F5 Protection: There are multiple ways that BIG-IP ASM can mitigate this issue. ASM enforces allowed file types and URLs, and accurate parameter values and login pages.

BIG-IP ASM's flow technology ensures that site content is only accessed by users that have acquired the proper credentials or visited the prerequisite pages. Users can only visit personal web pages if they have come from, say, a user ID and password sign-on web page.

A9 Insufficient Transport Layer Protection

OWASP Definition: Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

F5 Protection: BIG-IP ASM significantly simplifies the implementation of SSL and certificate management by centralizing the location and administration of the server certificates in a single location rather than distributed over farms of servers.

Also, by moving SSL handshaking and encryption to BIG-IP ASM, the web servers gain an increased level of performance and efficiency.

In addition, ASM allows you to do the following:
- Require SSL for all sensitive pages. Non-SSL requests to these pages are redirected to the SSL page. Use BIG-IP SSL Acceleration in general for the whole application
- Set the secure flag on all sensitive cookies
- Configure your SSL provider to only support strong (e.g., FIPS 140-2 compliant) algorithms. (Use BIG-IP 6900, 8900)
- Ensure your certificate is valid, not expired, not revoked, and matches all domains used by the site. You can check with EM or scripts from DevCentral
- Backend and other connections should also use SSL or other encryption technologies. Use re-encryption with a Server-SSL profile

A10 Unvalidated Redirects and Forwards

OWASP Definition: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

F5 Protection: BIG-IP ASM mitigates this issue by enforcing unique attack patterns, enforcing accurate values of parameters, and enforcing dynamic parameters.
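"Enforcing accurate values of parameters" for a redirect parameter means accepting only destinations that stay inside the application, which is harder than a substring check because of the ways a URL can name a foreign host. The following added example, written for this page and not F5's code, validates a redirect target against a constructed host allowlist (`www.food.com` is the host from the page's A5 example) and rejects the usual ways of smuggling in another host: scheme-relative `//host`, userinfo before an `@`, non-HTTP schemes, backslashes, and CR/LF.

```python
from urllib.parse import urlparse

# Constructed allowlist of hosts the application may redirect or forward to.
ALLOWED_HOSTS = {"www.food.com"}

def safe_redirect_target(target, default="/"):
    """Return `target` when it points back into the application (a relative
    path or an allowlisted host); otherwise return `default`."""
    if not target:
        return default
    target = target.strip()
    # Browsers normalise '\' to '/', and CR/LF in a Location value would let
    # the parameter inject extra response headers, so refuse both outright.
    if any(ch in target for ch in "\\\r\n\t"):
        return default
    if target.startswith("//"):
        return default          # scheme-relative URL; the browser fills in http(s)
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return default          # javascript:, data:, and similar
    if parsed.netloc:
        # Absolute URL: the host must be allowlisted and must not carry
        # userinfo, which hides the real host behind an '@'.
        if "@" in parsed.netloc or parsed.hostname not in ALLOWED_HOSTS:
            return default
        return target
    if parsed.scheme:
        return default          # e.g. "http:evil.example" without the '//'
    if not target.startswith("/"):
        return default          # bare word such as "evil.example"
    return target

if __name__ == "__main__":
    # Constructed sample values as they might arrive in a ?next= parameter.
    for candidate in ["/account", "https://www.food.com/orders",
                      "//evil.example", "https://www.food.com@evil.example/",
                      "javascript:alert(1)", "/\\evil.example"]:
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

The function falls back to a fixed default instead of raising, so a tampered `next` parameter degrades to the home page rather than to an error the attacker can probe; logging the rejected value alongside the session is the natural place to add detection.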

F5 Networks, Inc. | 401 Elliot Avenue West, Seattle, WA 98119 | 888-882-4447 | f5.com
F5 Networks, Inc. Corporate Headquarters: info@f5.com | F5 Networks Asia-Pacific: apacinfo@f5.com | F5 Networks Ltd. Europe/Middle-East/Africa: emeainfo@f5.com | F5 Networks Japan K.K.: f5j-info@f5.com

2017 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5
trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no
endorsement or affiliation, express or implied, claimed by F5. CS04-00015 0113
